346673 - firefox crashes on svg file [@ nsSVGCairoRectRegion::Combine]

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Wolfgang]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5
Build Identifier: Firefox/1.5.0.5

Hi,

firefox crashes when I want to open that file locally:

https://perswww.kuleuven.ac.be/~u0049353/svg/map_new_normal.svg

It was created with inkscape, it also went through the svg validator at http://jiggles.w3.org/svgvalidator/ without problems

Reproducible: Always

Steps to Reproduce:
i. e. drag and drop of the file on firefox
Actual Results:  
firefox crashes completely

Expected Results:  
it should display the graphic

Comment 1

[Wolfgang]

Attachment: firefox crashes on that file

Comment 2

[Ryan Jones-Ward [:sciguyryan]]

WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060730 Minefield/3.0a1 - Build ID: 2006073004

Can you reproduce with a clean profile?

Comment 3

[Ria Klaassen (not reading all bugmail)]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060728 BonEcho/2.0b1
TB21625269H  TB21625324Q

Incident ID: 21625269
Stack Signature	nsSVGCairoRectRegion::Combine 247c0f2f
Product ID	Firefox2
Build ID	2006072803
Trigger Time	2006-07-31 08:01:42.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0026f4a7)
URL visited	
User Comments	
Since Last Crash	4538 sec
Total Uptime	16800 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoRegion.cpp, line 120
Stack Trace 	
nsSVGCairoRectRegion::Combine  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoRegion.cpp, line 120]
nsSVGPathGeometryFrame::GetCoveredRegion  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 353]
nsSVGPathGeometryFrame::PaintSVG  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 257]
nsSVGGFrame::PaintSVG  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGFrame.cpp, line 134]
nsSVGOuterSVGFrame::Paint  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp, line 845]
nsContainerFrame::PaintChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 385]
PresShell::Paint  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5825]
nsView::Paint  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 316]
nsViewManager::RenderDisplayListElement  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1460]
nsViewManager::RenderViews  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1375]
nsViewManager::Refresh  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1348]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4564]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1536]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0xb4c0 (0x77d1b4c0)
USER32.dll + 0xb50c (0x77d1b50c)
ntdll.dll + 0xeae3 (0x7c90eae3)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Comment 4

[Ria Klaassen (not reading all bugmail)]

In trunk there has also been a crash on this picture but it was repaired between 1.9a1_2006060908 and 1.9a1_2006060912: TB21626150K.
I don't know if it has any connection with this bug. It was not repaired immediately: only the crash, the picture was still not displayed. So possibly this is a new case.

Comment 5

[Holger Will]

Attachment: reduced tescase

testcase

i've reduced the file to a simple testcase, what i've observed is that if you have marker-start or marker-end on a shape that has also a fill="none" crashes, after removing either the fill or the marker it does not crash anymore, also any other value of fill does not cause a crash, oddly marker-mid does not crash at all.

Comment 6

[Holger Will]

Attachment: testcase nocrash

this file is the same as the testcase, but with fill="none" removed.
this does not crash.

Comment 7

[tor]

Attachment: handle null region for base geometry

Comment 8

[tor]

Attachment: diff -w version of above

Comment 9

[tor]

*** Bug 346707 has been marked as a duplicate of this bug. ***

Comment 10

[Jonathan Watt [:jwatt]]

Comment on attachment 231445 [details] [diff] [review]
handle null region for base geometry

r=jwatt

Comment 11

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 231445 [details] [diff] [review]
handle null region for base geometry

>Index: layout/svg/base/src/nsSVGPathGeometryFrame.cpp

>+  nsISVGRendererRegion *retval = region.get();
>+  NS_IF_ADDREF(retval);
>+  return retval;

How about:

  nsISVGRendererRegion *retval = nsnull;
  region.swap(retval);
  return retval;

?  Should be a tad faster....

Comment 12

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 231445 [details] [diff] [review]
handle null region for base geometry

(Is the pointer coming from RegionMark a newly created object or a member?  If the latter, are you sure that callers don't expect the object returned to be newly created.)

a=dbaron on behalf of drivers.  Please land on MOZILLA_1_8_BRANCH and mark fixed1.8.1 once you have done so.

Comment 13

[tor]

Attachment: Checkin version - with bz's suggested change.

The object from RegionMark is newly allocated.

Comment 14

[tor]

Checked in on MOZILLA_1_8_BRANCH.

Comment 15

[Daniel Veditz [:dveditz]]

Comment on attachment 231680 [details] [diff] [review]
Checkin version - with bz's suggested change.

approved for 1.8.0. branch, a=dveditz for drivers

Comment 16

[tor]

Attachment: Checkin version for 1.8.0 branch

Comment 17

[tor]

Checked in on MOZILLA_1_8_0_BRANCH.

Comment 18

[alice nodelman [:alice] [:anode]]

reduced testcase https://bugzilla.mozilla.org/attachment.cgi?id=231421&action=view should not crash browser

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/2006082203 BonEcho/2.0b2

verified 1.8.1b2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre

verified 1.8.0.7